You've probably been told to "look for the padlock" before entering your card details online. It's good advice as far as it goes, but it's also widely misunderstood. The padlock and the "https" in a web address tell you something real and useful — but they tell you almost nothing about whether the business running the site is trustworthy, legitimate, or even real. Understanding the difference can save you from a false sense of security.

What HTTPS Actually Does

HTTPS stands for HyperText Transfer Protocol Secure. In plain terms, it encrypts the connection between your browser and the website's server. That encryption means that if someone is snooping on the network — say, on public Wi-Fi at a coffee shop — they can't easily read the data passing between you and the site, such as passwords or card numbers as they're transmitted.

The padlock icon your browser shows is simply a signal that this encryption is switched on for the page you're viewing. It confirms two things: your connection is private in transit, and you're actually talking to the server that owns that domain name (not an imposter intercepting the traffic). That's it. That's the whole guarantee.

What the Padlock Does Not Mean

This is the part that trips people up, because for years the padlock was treated as a general "safe to trust" seal. It never was, and today it's even less meaningful as a trust signal, for a simple reason: getting HTTPS has become fast, free, and automatic for almost anyone who wants a website.

The padlock does not mean:

  • That the business behind the site is real, registered, or reachable
  • That the products are genuine, in stock, or will ever be shipped
  • That the company will honor refunds, warranties, or your legal consumer rights
  • That the site isn't running a scam, a fake shop, or a phishing page
  • That anyone has reviewed or vetted the site's content or intentions

Scammers know that people look for the padlock, so they make sure their fake shops and phishing pages have one too. Setting up HTTPS today typically takes minutes and costs nothing, so it's no longer a meaningful filter between honest and dishonest sites — both have it.

Why This Confusion Happened

In the early days of the web, getting an HTTPS certificate involved more verification and sometimes a real cost, so sites that bothered were often more established. Browsers reinforced the idea by showing a reassuring green padlock or even the word "Secure" in the address bar. Over time, as encryption became the default expectation for the entire web (a good thing for privacy), the padlock stopped being a signal of anything beyond "this connection is encrypted." Most browsers today have quietly dropped the green color and the word "Secure," partly because they don't want people over-trusting it.

What to Check Instead

If the padlock doesn't tell you whether a site is honest, what does? No single signal is perfect, but together these give you a much better picture:

  • The domain name itself. Look closely for misspellings, extra words, or unusual endings mimicking a brand you know (a well-known retailer's name with a strange suffix, for instance).
  • How you arrived there. Did you type the address yourself, or click a link from an unsolicited email, text, or ad? Unexpected links are a common route to fake sites.
  • Contact and company details. Legitimate businesses usually list a real address, a working customer service contact, and clear company information. Vague or missing details are a warning sign.
  • Site age and reputation. A quick search for the site's name plus words like "reviews" or "complaints" can surface other people's experiences. Very new sites with no history deserve extra caution.
  • Payment method offered. Be wary of stores that push unusual payment methods (direct bank transfer, cryptocurrency, gift cards) instead of standard card payment or recognized payment services, especially for ordinary retail purchases.
  • Pricing and pressure tactics. Deep discounts on branded goods, countdown timers, and urgent "only 2 left" messages are classic pressure tactics used on fake storefronts.
  • Policies that hold up. Check that returns, shipping, and privacy policies exist, are specific, and make sense — not just generic filler text.

A Simple Way to Think About It

HTTPS answers the question "is this connection private?" It does not answer the question "is this business honest?" Those are two completely different questions, and only the second one actually protects your money.

Before you check out on any unfamiliar site, treat the padlock as table stakes, not proof. It's necessary, but nowhere near sufficient. Use it alongside the other checks above, and when in doubt, take a moment to look the site up before you hand over your card details. A minute of research is a small price for peace of mind.